How does password bruteforcing work?

Document created by kb-author-1 Employee on May 17, 2010. Last modified by Robert Dell'Immagine on Nov 11, 2013.
Version 3

Product: QualysGuard

Category: Option_Profiles

Last Updated: 11/11/2013


Issue:  Describe how password brute forcing works in QualysGuard.




QualysGuard offers various levels of password bruteforcing, from "No Brute Forcing" to "Exhaustive". The service attempts to obtain the local user list for a host and then log in using various username/password combinations. Note that the actual attempts made at each level depend on several factors.




  • Bruteforce level "Minimal": QualysGuard tests empty passwords for predefined accounts, including "Guest" (Windows), "Administrator" (Windows) and "SA" (MSSQL).
  • Bruteforce level "Limited": QualysGuard attempts to log in using username/username and username/empty. It tries each with two different protocols (NTLM and NTLMv2), leading typically to 4 login attempts per user.
  • Bruteforce level "Standard": Same as "Limited", but it also tries share bruteforcing. This applies to Windows 95/98/ME machines that are configured in share mode. For Windows 95/98/ME machines in user mode or Windows NT/2000/XP/2003 machines, bruteforce level "Standard" is identical to "Limited". Share bruteforcing performs up to 60 attempts per share.
  • Bruteforce level "Exhaustive": Same as "Standard", but we also try "real" user bruteforcing (does not apply to Windows-95/98/Me machines in "share mode"). User bruteforcing tries a number of passwords, most of which are derived from the user name, but some passwords are also fixed. We usually attempt around 150 total passwords per user, but this may vary with the particular user name, and may also be cut short depending on host responsiveness and the number of users on the host.


The precise algorithms for Exhaustive bruteforcing are controlled through QualysGuard vulnerability signatures and are thus subject to change, but generally include the following: case changing, letter permutations, letter doubling/mirroring/rotating, adding prefixes or suffixes (numbers etc.), truncating the user name, and replacing certain characters with certain other characters.
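
The transformation families listed above can also be turned into a password-policy check that rejects passwords a scan at these levels would be expected to guess. The following is an added example, not QualysGuard code: the look-alike table, the 3-character truncation minimum and all function names are assumptions, and letter permutations and fixed passwords are not covered.

```python
import string

# Assumed look-alike table for this example; the scanner's real
# substitutions are defined in its signatures and are not on this page.
LEET = str.maketrans("013457@$", "oieastas")
AFFIX = string.digits + string.punctuation  # characters treated as prefix/suffix padding

def name_forms(username):
    """Lower-cased forms of the user name that the listed rules start from."""
    name = username.lower()
    forms = {name, name[::-1], name * 2, name + name[::-1]}         # plain, mirrored, doubled
    forms.update(name[i:] + name[:i] for i in range(1, len(name)))  # rotations
    forms.update(name[:n] for n in range(3, len(name)))             # truncations, 3+ chars
    forms.discard("")
    return forms

def password_cores(password):
    """The password with case, numeric/symbol affixes and look-alikes undone."""
    pw = password.lower()
    cut = {pw, pw.rstrip(AFFIX), pw.lstrip(AFFIX), pw.strip(AFFIX)}
    return cut | {c.translate(LEET) for c in cut}

def weak_reason(username, password):
    """Return why the password is guessable from the user name, else None."""
    if password == "":
        return "empty password"             # what the Minimal and Limited levels test
    if password == username:
        return "password equals user name"  # the username/username attempt
    if name_forms(username) & password_cores(password):
        return "derived from user name"     # Exhaustive-style derivation
    return None

if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    samples = [("Guest", ""), ("jsmith", "Jsmith2013"), ("admin", "4dm1n123"),
               ("jsmith", "htimsj!"), ("jsmith", "correct horse battery staple")]
    for user, pw in samples:
        print(f"{user!r:10} {pw!r:32} -> {weak_reason(user, pw)}")
```

A password that returns `None` here is only outside these username-derived rules; it is not thereby strong.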


Please note that the bruteforce level setting controls bruteforcing in other protocols as well (Oracle, SSH, etc.), and the methods used for those other protocols differ somewhat from the methods used for NetBIOS.


Note: If a security policy exists that locks accounts after a certain number of unsuccessful attempts, it can cause user accounts to get locked out. Do not use password bruteforcing in this case, or use only limited brute forcing and ensure the number of attempts is set to 5 or higher.


Scanning a domain controller with password bruteforcing is not recommended as it will obtain the domain user list and attempt each account, which can also lead to locked user accounts, especially when scanning multiple domain controllers.


In general, be aware that the number of login attempts a scan target or domain controller may see against the account can be much higher than assumed due to trying multiple login protocols for each password. 


Windows machines are sometimes configured to transparently authenticate against a domain controller. If more than one host is scanned at the same time, the number of login attempts against the domain controller further multiplies by the number of hosts. In addition, Windows may split each attempt further into more than one internal attempt.